← Main Article Technical Annexure API Surface Terms of Reference

Terms of Reference for Investigation & Demands for Disclosure

Published: 30 May 2026 | Cashless Consumer | Main Article

Purpose

This document proposes a formal framework for investigating the CBSE On-Screen Marking (OSM) controversy. It is grounded in India's Right to Information Act, 2005; the Information Technology Act, 2000; the Digital Personal Data Protection Act, 2023; and internationally recognised principles of democratic oversight of digital public infrastructure.

It is not a legal document. It is a citizen's framework — one that any journalist, parliamentarian, student, parent, or civil-society body may adopt, adapt, and file.

I. Background & Scope

1.1 What happened

In February–March 2026, the Central Board of Secondary Education (CBSE) conducted Class 12 board examinations for 17,80,365 registered students. Answer sheets were graded on an On-Screen Marking platform operated by Coempt EduTeck Pvt. Ltd., a Hyderabad-based company, at cbse.onmark.co.in.

Independent security researchers disclosed critical vulnerabilities in the platform, including authentication bypass, client-side OTP validation, and unauthorised access to evaluation interfaces. OSINT analysis revealed that the vendor's own employees had published internal QA automation code on public GitHub repositories, and that the same OnMark platform serves at least 30 state boards and universities on identical infrastructure.

1.2 Why a formal investigation is warranted

Scale of impact: 17.8 lakh students' exam results depend on the integrity of a single vendor's platform.
Multi-board reuse: The same platform is used by state boards across India — a vulnerability or misconfiguration in one instance potentially compromises all.
Procurement irregularities: Evidence suggests CBSE amended tender criteria to favour Coempt EduTeck, removing blacklist and cooling-off period requirements before awarding the contract.
Vendor track record: Coempt's 2019 Telangana university evaluation contract was cancelled after grading complaints, and the company was blacklisted by the Telangana government before being cleared by courts.
Data sovereignty: Answer sheets of minor students — containing personally identifiable handwritten data — are processed on a private vendor's cloud infrastructure with no publicly disclosed data-residency or data-protection audit.
Leaked internal code: The vendor's own QA automation code, containing page-object models matching the live portal's DOM structure, was published on GitHub by Coempt employees — indicating poor internal security culture.

1.3 Scope of this document

This framework covers four domains:

Procurement & due diligence — Was the contract awarded lawfully? Was the vendor properly vetted?
Technical & security audit — Is the platform secure? Was it tested before deployment?
Data protection & privacy — How are student answer sheets stored, processed, and protected?
Democratic accountability & transparency — What must the government disclose, and under what legal authority?

II. Investigation Terms of Reference

2.1 Procurement & Due Diligence

#	Question	Document / Evidence Sought
1	What was the original tender specification for the OSM contract? What were the technical qualification criteria?	Original tender document (2025_MHRD_858645_1), corrigenda, and all amendments
2	When and why were the blacklist and cooling-off period clauses removed from the tender?	Corrigendum or amendment document, internal noting file, decision-making chain
3	Who approved the removal of these clauses? Was the approval documented?	File notings, approval chain, minutes of relevant committee meetings
4	How many bids were received? What were the technical scores of each bidder?	Bid evaluation committee report, technical scoring sheets
5	Was Coempt EduTeck — or its predecessor entity Globarena Technologies — declared ineligible by any government body at the time of bidding?	Blacklist/greylist records from GeM, State procurement portals, Telangana government
6	What due diligence was performed on Coempt's past performance, including the 2019 Telangana cancellation?	Due diligence report, vendor assessment questionnaire
7	What is the financial relationship between Coempt EduTeck and Globarena Technologies? Are they the same legal entity under different names?	Corporate filings (MCA-21), Tofler/Zaubacorp company profiles, shareholding patterns
8	What is the total contract value? What are the payment milestones?	Contract document, purchase order, payment records
9	Were any intermediaries, consultants, or agents involved in the procurement process?	Declaration of interest forms, consultant agreements

2.2 Technical & Security Audit

#	Question	Document / Evidence Sought
10	Was a security audit conducted on the OSM platform before deployment? By whom?	Audit report, auditor credentials (CERT-In empanelled?), audit scope and methodology
11	Were the vulnerabilities disclosed by Nisarga Adhikary known to CBSE or Coempt before public disclosure?	Internal vulnerability management records, CERT-In reporting correspondence
12	What was the timeline of platform changes between mock evaluation (24 February) and live evaluation?	Deployment logs, change management records, release notes
13	Is the platform's source code subject to any security review by CBSE, NIC, or CERT-In?	Source code escrow agreement, code review reports
14	What authentication mechanisms protect evaluator access? Is multi-factor authentication enforced?	Architecture documentation, security configuration records
15	Are evaluator credentials shared, reused, or rotated? How are compromised credentials handled?	Credential management policy, incident response procedures
16	Is there rate-limiting, anomaly detection, or intrusion monitoring on the OSM portal?	Security operations documentation, WAF/IDS configuration
17	What infrastructure does the platform run on? Cloud provider, geographic location of servers, data residency?	Infrastructure architecture document, SLA with cloud provider
18	Was the platform penetration-tested by an independent third party? What were the findings?	Pentest report (redacted if necessary), remediation tracker

2.3 Data Protection & Privacy

#	Question	Document / Evidence Sought
19	What categories of personal data are collected and processed by the OSM platform?	Data flow diagram, data inventory register
20	Answer sheets contain handwritten names, roll numbers, school names, and photographs. Are these classified as personally identifiable data under the DPDPA, 2023?	Data classification policy, DPIA (Data Protection Impact Assessment)
21	Where is the data stored? Is it stored within India? Is it encrypted at rest and in transit?	Infrastructure documentation, encryption policy, data residency certification
22	Who has access to the raw answer sheet images? Are access logs maintained?	Access control matrix, audit logs (last 12 months)
23	How long are answer sheet images retained after results are declared? What is the deletion policy?	Data retention policy, deletion certificates
24	Were students and parents informed about the use of a private vendor's platform for processing their examination data?	Privacy notice, consent mechanism (if any)
25	Is there a data breach notification procedure? Has any breach been reported?	Incident response plan, breach notification records
26	Does the contract include provisions for CBSE/NIC to audit the vendor's data practices?	Contract clauses on audit rights, data access, breach notification

2.4 Democratic Accountability & Transparency

#	Question	Document / Evidence Sought
27	What is CBSE's policy on engaging private vendors for mission-critical examination infrastructure?	Vendor engagement policy, risk assessment framework
28	Was the Ministry of Education consulted or informed about the security disclosures?	Ministry correspondence, inter-ministerial notes
29	Did CBSE report the vulnerabilities to CERT-In as required under the IT Act?	CERT-In reporting records, acknowledgement from CERT-In
30	Is there a Business Continuity / Disaster Recovery plan for the OSM platform? Was it tested?	BCP/DR documentation, test results
31	What is the exit strategy if the vendor relationship is terminated? Can CBSE migrate to an alternative platform?	Exit clause in contract, data migration plan, source code escrow
32	Are other boards using the same OnMark platform aware of the security disclosures?	Communication records with state boards
33	What oversight mechanisms exist for ongoing platform security — during and between examination cycles?	Governance framework, security review schedule

III. Demands for Disclosure

Demand 1: Full procurement disclosure

Under the RTI Act, 2005 (Section 4(1)(b)), CBSE must proactively disclose all tender documents, bid evaluations, and contract award decisions. We demand:

Publication of the complete tender file, including all corrigenda and amendments
Publication of the bid evaluation committee's technical scoring for all bidders
Disclosure of the file notings documenting the removal of blacklist/cooling-off clauses
Full contract document with Coempt EduTeck (redacting only commercially sensitive pricing if necessary, subject to RTI scrutiny)

Demand 2: Independent security audit

Under Section 70B of the IT Act, 2000, CERT-In is designated as the national nodal agency for cyber security. We demand:

CERT-In conduct or commission a full penetration test and source code review of the OSM platform, covering all board instances — not just CBSE
The audit report be published in redacted form, with executive summary and severity ratings for each finding
The audit cover: authentication, authorisation, data encryption, access logging, infrastructure security, and vulnerability management
A timeline for remediation of all critical and high-severity findings, with public progress updates

Demand 3: Data protection compliance disclosure

Under the DPDPA, 2023, and pending Data Protection Board rules, we demand:

A complete Data Protection Impact Assessment for the OSM platform, covering all personal data categories processed
Disclosure of data residency — the geographic location(s) where answer sheet images are stored
Publication of the data retention and deletion policy for answer sheet images
Disclosure of whether students/parents were provided a privacy notice before their data was processed on a private vendor's platform
Publication of the data breach notification procedure and confirmation that no unreported breaches have occurred

Demand 4: Multi-board notification

Given that the OnMark platform serves at least 30 state boards and universities, we demand:

CBSE notify all other boards using the OnMark platform of the security findings
The Ministry of Education issue an advisory to all state education boards on vendor security due diligence for digital examination platforms
Each board disclose whether it has conducted its own security audit of its OnMark instance

Demand 5: Vendor accountability

Coempt EduTeck's internal QA code was published on public GitHub repositories, containing page-object models matching the live evaluation portal. This indicates a failure of internal information security practices. We demand:

CBSE investigate the circumstances under which Coempt employees published internal code on public repositories
Coempt EduTeck provide an incident report explaining how this occurred and what remedial actions have been taken
CBSE evaluate whether Coempt EduTeck has complied with contractual information security requirements
If contractual security requirements were not met, CBSE invoke applicable penalty clauses

Demand 6: Parliamentary oversight

Examination integrity is a fundamental public interest. We demand:

The Parliamentary Standing Committee on Education take up the matter for formal review
The committee examine CBSE's vendor management practices for all mission-critical examination technology
The committee assess whether existing procurement rules are adequate for digital examination platforms
Consider a framework for mandatory security auditing of all digital examination infrastructure used by public examination bodies in India

IV. Legal Basis for Disclosure Demands

Right to Information Act, 2005

Section 4(1)(b) requires public authorities to proactively disclose: (ii) the powers and duties of its officers and employees; (iii) the procedure followed in the decision-making process; (iv) the norms set by it for the discharge of its functions; (v) the rules, regulations, instructions, manuals and records used by its employees; and (vi) a statement of the categories of documents held by it.

Tender documents and contract details for CBSE — a public authority under the RTI Act — are mandatorily disclosable. The Supreme Court of India has held in CBSE v. Aditya Bandopadhyay (2011) that examination-related information must be disclosed unless it falls under a specific exemption under Section 8.

Information Technology Act, 2000

Section 70A mandates that designated entities (including critical information infrastructure) comply with prescribed security practices. Section 43A requires that any body corporate handling sensitive personal data implement reasonable security practices. Section 72A criminalises disclosure of personal information in breach of a lawful contract.

The handling of minor students' examination data — handwritten answer sheets containing personally identifiable information — by a private vendor triggers both Section 43A (reasonable security practices) and, arguably, Section 70A obligations for CBSE as the data fiduciary.

Digital Personal Data Protection Act, 2023

The DPDPA imposes obligations on data fiduciaries (CBSE, as the entity determining the purpose of processing) and data processors (Coempt EduTeck, as the entity processing on CBSE's behalf). Key obligations include:

Notice (Section 5): Students/parents must be notified of the collection and processing of their personal data
Purpose limitation (Section 6): Data may only be processed for the purpose for which it was collected
Data retention (Section 8): Data must not be retained beyond the purpose for which it was collected
Security safeguards (Section 8): Reasonable security safeguards must be implemented
Breach notification (Section 8(7)): The data fiduciary must notify the Data Protection Board and affected individuals of breaches

Constitutional Framework

The Supreme Court of India has recognised the right to privacy as a fundamental right under Article 21 in K.S. Puttaswamy v. Union of India (2017). The processing of examination data of minor students — a category requiring heightened protection under the DPDPA — engages both the right to privacy and the right to education (Article 21A). Any failure to protect this data is a failure of the state's duty to safeguard fundamental rights.

V. International Standards for Reference

While this investigation is specific to India, the following international frameworks provide useful benchmarks:

Framework	Relevance
OECD Principles on AI (2024 update)	Transparency, accountability, and security requirements for AI systems deployed in public services — including automated grading
ISO 27001	International standard for information security management systems — relevant for evaluating Coempt's security posture
ISO 27701	Extension to ISO 27001 for privacy information management — directly applicable to processing of student examination data
GDPR (EU)	While not binding in India, GDPR's requirements for DPIA, data protection by design, and breach notification provide useful comparative standards
UN Guiding Principles on Business and Human Rights	Establishes the responsibility of business enterprises (including Coempt) to respect human rights, including the right to privacy

VI. How to File RTI Applications

Below are suggested RTI queries that citizens can file. Each query should be filed with the relevant Central Public Information Officer (CPIO) of CBSE. Queries may be adapted for state boards using the OnMark platform.

Note: RTI applications can be filed online at rtionline.gov.in for a fee of &rupee;10. The CPIO is required to respond within 30 days (Section 7(1)). Appeals lie with the First Appellate Authority and subsequently the Central Information Commission.

6.1 Suggested RTI Queries — Procurement

"Please provide the complete tender document, including all corrigenda and amendments, for the On-Screen Marking (OSM) system contract awarded to Coempt EduTeck Pvt. Ltd. for CBSE Class 12 evaluation, 2026."
"Please provide the bid evaluation committee's report, including technical scoring for each bidder, for the above tender."
"Please provide the file notings documenting the removal of the blacklist/cooling-off period clause from the OSM tender specifications."
"Please provide the due diligence report prepared by CBSE on Coempt EduTeck Pvt. Ltd. prior to contract award."

6.2 Suggested RTI Queries — Security

"Please provide all security audit reports conducted on the OSM platform (cbse.onmark.co.in) prior to and during the 2026 evaluation cycle."
"Please provide the timeline of platform changes (deployments, patches, configuration changes) between the mock evaluation on 24 February 2026 and the start of live evaluation."
"Please provide the complete list of vulnerabilities reported to CBSE or CERT-In regarding the OSM platform, along with remediation status."
"Please provide the disaster recovery / business continuity plan for the OSM platform."

6.3 Suggested RTI Queries — Data Protection

"Please provide the Data Protection Impact Assessment (DPIA) for the OSM platform, covering the processing of student answer sheet data."
"Please provide the data retention and deletion policy for answer sheet images processed on the OSM platform."
"Please provide the privacy notice provided to students and parents regarding the processing of their examination data on the OSM platform."
"Please provide the data breach notification records, if any, for the OSM platform since deployment."

VII. For Journalists & Researchers

This investigation is open-source. All evidence is archived and published:

Full writeup: Main Article · Impacted Entities
Technical evidence: Technical Annexure
API surface documentation: API Surface Annexure
Evidence archive: zo.pub/cashlessconsumer/cbse-osm-onmarks-osint

GitHub repositories referenced in this investigation (all public as of 30 May 2026; archived locally with full git history):

segrgokul (Coempt employee, Hyderabad): KNR_Automation_Coempt, coempt_Automation, New_Coempt_Automation, Coempt_Automation_2024, Coempt_Automation_New, OCR_To_Text_Automation, coempt_Automation_For_Facebook_Login, Ocr_To_Text_Automation_Read_PDF_Write_Excel
akhi101 (independent researcher): SBTET_AUDIT, sbtet_login_audit
viswanthp (independent researcher): AP_SBTET_AUDIT
Sarthak-Sidhant (student researcher): coempt (tender analysis + Tofler reports)
coempt (organisation): coempt

Cite this document as: Cashless Consumer, "Terms of Reference for Investigation: CBSE On-Screen Marking Controversy," 30 May 2026.

Disclaimer: This document is published for public interest and journalistic purposes. It does not constitute legal advice. The suggested RTI queries are templates and should be adapted by the filer. The authors have not accessed any live evaluation system; all findings are based on passive OSINT from public sources.